This guide helps you set up the Panther Cloud SIEM security device in Workbench.
Prerequisites
- You must have organization admin permissions in Workbench.
- You must have sufficient permissions in Panther to invite new users, create an API token, and set up webhook connections.
Quick Links
Setup includes the following steps (select any step for detailed instructions):
- Create an Expel User Account in Panther
- Create an API Token for Expel
- Add Panther Cloud SIEM as a Security Device in Workbench
- Obtain the Webhook Credentials
- Set Up the Webhook Connection in Panther
Step 1: Create an Expel User Account in Panther
Expel needs a user account in order to access your Panther console. Why do we ask for console access?
- Log in to Panther.
- Select the gear icon at the top of the landing page.
- Select the Users option from the dropdown menu.
- Select Invite User, and complete the fields as follows:
  - First Name - enter "Expel".
  - Last Name - enter "SOC Analysts".
  - Email - enter "soc+<your_company_name>@expel.io".
  - Role - select Analyst.
- Save the new user, then make sure it appears on the Users page.
Step 2: Create an API Token for Expel
API access allows Expel to obtain investigative context for the incoming Panther alerts (we obtain those alerts via a webhook, which you will set up in Step 5).
- Still in Panther, select the gear icon at the top of the landing page.
- Select the API Tokens option from the dropdown menu.
- Select Create an API Token.
- Enter a name for the token of your choosing, then set the access permissions as follows (these permissions exist in separate categories):
  - Panther AI: N/A
  - User Management: View Users
  - Alerts: View Alerts
  - Detections: View Rules, View Policies
  - Analysis: N/A
  - Data: Run Log Searches
  - Integrations: View Cloud Security Sources, View Log Sources
  - Enrichment: N/A
  - Configuration: N/A
  - IP Restrictions: N/A
- After the permissions are set, select Create API Token to generate the token. Save the token information to a safe place, as you will need it when you set up the security device in Workbench.
- Select Done.
- Next, obtain the GraphQL API URL (found at the top of the API Tokens page) and save it to a safe place. You will also need this URL when you set up the security device in Workbench.
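Before pasting the token and URL into Workbench, it is worth confirming that the pair actually works, so a typo in the URL or a token created with the wrong scope is not mistaken for a webhook problem later. The check below is an added example, not Expel's or Panther's own code; it assumes Panther's GraphQL endpoint accepts the token in an X-API-Key header and, like any GraphQL server, answers the schema-level query `{ __typename }`. The token and URL are read from environment variables so they never land in shell history.

```python
"""Pre-flight check for the Step 2 API token and GraphQL API URL.
Added example; assumes an X-API-Key header and a standard GraphQL endpoint."""
import json
import os
import urllib.error
import urllib.request

# Schema-level query every GraphQL server answers; needs no Panther-specific scope.
PING_QUERY = "query { __typename }"


def classify(status: int, body: bytes) -> str:
    """Map an HTTP status and response body to a one-word verdict.
    Pure function, so it can be exercised without network access."""
    if status in (401, 403):
        return "rejected"        # token wrong, revoked, or blocked by IP restrictions
    if status != 200:
        return f"http-{status}"
    try:
        payload = json.loads(body)
    except ValueError:
        return "not-graphql"     # wrong URL: got HTML or a plain error page back
    if payload.get("errors"):
        return "graphql-error"   # token accepted, but the query itself was refused
    if payload.get("data", {}).get("__typename") == "Query":
        return "ok"
    return "unexpected"


def check_token(api_url: str, token: str) -> str:
    """POST the ping query with the token and classify what comes back."""
    req = urllib.request.Request(
        api_url,
        data=json.dumps({"query": PING_QUERY}).encode(),
        headers={"Content-Type": "application/json", "X-API-Key": token},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as exc:
        return classify(exc.code, exc.read())


if __name__ == "__main__":
    verdict = check_token(os.environ["PANTHER_API_URL"], os.environ["PANTHER_API_TOKEN"])
    print(verdict)
```

Anything other than `ok` means the Step 3 fields would not work as entered: `rejected` points at the token or an IP restriction on it, `not-graphql` at the URL.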
Step 3: Add Panther Cloud SIEM as a Security Device in Workbench
Before you begin, make sure you have the API token and API URL from the previous section.
- Log in to Workbench.
- In the side menu, navigate to Organization Settings > Security Devices. If you have multiple organizations, you must select the appropriate organization name from the list.
- Select Add Security Device.
- In the search box, type “Panther” and then select the Panther Cloud SIEM integration.
- Complete the fields as follows:
  - Name - enter a name that helps you identify this integration, such as “CompanyName Panther”; this name is displayed in Workbench under the Name column and is a text string that you can filter on.
  - Location - enter the location of your integration, for example “cloud”; this is also a text string that you can filter on, so we recommend being consistent with location naming across your Expel integrations.
  - API key - enter the API token you created in Step 2.
  - API URL - enter the API URL you obtained in Step 2.
- Select Save.
- Select Set up later from the console access dropdown. Our SOC will set up console access on our end, using the Expel user that you created in Step 1.
- Select Save.
- Your device should be created successfully within a few seconds. A few reminders:
  - You will need to set up the webhook (Step 5) before you will see any alerts come through for the device.
  - You must then allow time (about 48 hours) for us to tune the new device.
  - To check on the device status at any time, select the downward arrow for the device in the first column and choose View details.
Step 4: Obtain the Webhook Credentials
The webhook allows Expel to obtain your Panther alerts. Workbench will generate the webhook credentials for the security device after it is created. You must go back into the newly created device to obtain those credentials, which you will use to configure the webhook connection in Panther.
- Still on the Security Devices page, locate the device you created in Step 3.
- Select the arrow beside the device name, and then select View details from the dropdown menu (if you need help with this process, see View Security Device Details).
- Select the Information screen, and then look for Connection Settings.
- If you are unable to see these settings, contact Support for help obtaining your webhook credentials.
- View and save the following values, which you will need when you configure the alert destination in the next section:
  - Webhook Password
  - Webhook URL
  - Webhook Username
Step 5: Set Up the Webhook Connection in Panther
You will now add the webhook to Panther so that it can send alerts to Workbench. You will do this via an alert destination.
- In the Panther console, navigate to Configure > Alert Destinations.
- Select Create New > Expel.
- Enter a Display Name of your choosing (the name should indicate clearly that this is the Expel webhook destination).
- Paste in the webhook URL, username, and password values from Step 4.
- Select all Severity Levels.
- In Default Alert Types, select the following values:
  - Correlation Rule Matches
  - Rule Matches
  - Rule Errors
  - Scheduled Rule Matches
- In Log Types, leave blank to send all log types.
- Select Add Destination.
- Still in the Panther console, verify the webhook connectivity:
  - Find any Panther alert and check its audit log.
  - The log will indicate whether or not the alert was sent successfully to Expel via the webhook.
Troubleshooting
- If you are unable to set up a successful connection, check to make sure you did not filter the log types in Step 5 (you should be sending us all log types).
- If you are not seeing any alerts in your Panther console, reach out to Panther support.